Downadup/ Conficker worm versus HIPS

[aigle]

The original inspiring thread by Rmus is here.

http://www.wilderssecurity.com/showthread.php?t=230837

It,s a very clever piece of malware, uses an aurorun.inf file and a dll( hidden as a vmx file) to do its dirty tricks and spreads via USB sticks.

CFP - on default interactive security mode, you will get only one pop up that is execution of dll/ vmx file by rundll32. If u allow it, no more pop ups and malware is free to do all its actions. CFP however did label it as suspicious via file heuristics. PASS though I am not so happy about this pass.

EQS - seems similat to CFP though I tested it in hurry. PASS

GesWall - you need to make a rule to isolate ur USB drive in GW( see the pic). It stopped the worm dead. PASS

TF - Fail, totally blind.

Come on. Try ur HIPS once again.

BTW - more pics are here but u need extremely tight rules to get many( though not all) of these pop ups and such rules are practically not feasible at all.

http://rapidshare.com/files/186335754/pics.zip

[PiCo]

Someone test it with SandboxIE

[ThunderZ]

Curious about DS as well since it monitors flash drives as they are plugged in.

[sded]

What about the Prevx Edge discussion of their success at http://www.prevx.com/blog.asp ? Is HIPS simply the wrong tool for some of the modern malware?

[sded]

And what about Online Armor, another current modern HIPS?

[Franklin]

Sample files I picked up.

[Kees1958]

Quote:

Originally Posted by aigle

The original inspiring thread by Rmus is here.

http://www.wilderssecurity.com/showthread.php?t=230837

It,s a very clever piece of malware, uses an aurorun.inf file and a dll( hidden as a vmx file) to do its dirty tricks and spreads via USB sticks.

GesWall - you need to make a rule to isolate ur USB drive in GW( see the pic). It stopped the worm dead. PASS

TF - Fail, totally blind.

Aigle I can make a pass custom rule in ThreatFire, like you did with GeSWall

So either you consider GeSWall a FAIL or you reward ThreatFire with a PASS

Aigle do you have two USB sticks and two or more USB ports? Would you mind testing GeSWall with the custom rule you applied for USB stick (harddisk1) with the virus on teh second USB stick. I bet GeSWall will fail miserably

Come on man, use one stick to measure results

[Mosqu]

Comodo Defense+

It's often the problem with "classical" HIPS: the user has to deccide himself what to allow or block.

[alex_s]

Quote:

Originally Posted by sded

And what about Online Armor, another current modern HIPS?

If somebody provides a dropper, I can report the results.

[Peter2150]

Caution: Please don't post links. They will certainly be removed.

Pete

[aigle]

Quote:

Originally Posted by Kees1958

Aigle I can make a pass custom rule in ThreatFire, like you did with GeSWall

So either you consider GeSWall a FAIL or you reward ThreatFire with a PASS



Come on man, use one stick to measure results

Hmmm.... I don,t agree Kees. TF is supposed to intercept it by default without any custom rules at all as it intercepts other autorun malware. When u add custom rules in TF, it acts as a typical classical HIPS and any classical HIPS willl for sure intercept this malware. I just tested default behav blocker function of TF.

As far as GW is concerned, it,s lacking the feature to protect USB sticks by default. I just added it manually. Development of GW is stalled ofcourse. Basic functionality is there but u need to implement it somehow.

I used this rule in GW as there seemed no other way for me to run this malware isolated. It,s not a PASS infact I agree unless u tweak GW as it lacks protection of USB sticks by default.

Quote:

Originally Posted by Kees1958

Aigle do you have two USB sticks and two or more USB ports? Would you mind testing GeSWall with the custom rule you applied for USB stick (harddisk1) with the virus on teh second USB stick. I bet GeSWall will fail miserably

If u run malware isoalted, it will not be able to do anything. If u run it un-isolated, it can do anything. That,s how GesWall or any other such product is supposed to do.

[Kees1958]

Quote:

Originally Posted by aigle

I used this rule in GW as there seemed no otehr way for me to run this malware isolated. It,s not a PASS infact I agree unless u tweak GW as it lacks protection of USB sticks by default.

The ability to apply minor nuances marks a great mind. You are a sport

[HURST]

Will test SandboxIE later when I'm at home, but I have no doubt it will pass, with the USB drive forced to run sandboxed.

[andyman35]

Quote:

Originally Posted by HURST

Will test SandboxIE later when I'm at home, but I have no doubt it will pass, with the USB drive forced to run sandboxed.

Your faith in the wondrous SandboxIE is well placed,I'm certain it'll pass,but await your findings in any case.

Has anyone tried this with Mamutu yet?

[Kees1958]

Quote:

Originally Posted by HURST

Will test SandboxIE later when I'm at home, but I have no doubt it will pass, with the USB drive forced to run sandboxed.

Guys, again in regard to Sandboxie
- let's make a special configuration rule (force USB drive run sandboxed)
- ghee it passes a real malware sample

What in regard to XP:
- I have a SRP rule blocking executables from running in RECYCLER
- Ghee my windows XP passes in Limited User Account, what a great HIPS old XP is, it passes!

When you disagree with the second observation, why do you agree with the first observation?

There is something I seem to misunderstand completely , so better keep my mouth shut

[HURST]

Quote:

Originally Posted by Kees1958

Guys, again in regard to Sandboxie
- let's make a special configuration rule (force USB drive run sandboxed)
- ghee it passes a real malware sample

What in regard to XP:
- I have a SRP rule blocking executables from running in RECYCLER
- Ghee my windows XP passes in Limited User Account, what a great HIPS old XP is, it passes!

When you disagree with the second observation, why do you agree with the first observation?

There is something I seem to misunderstand completely , so better keep my mouth shut

Actually Kees, I don't disagree with your 2nd observation.
SandboxIE with it's default config would not protect from this. A default XP is vulnerable. I think some classic HIPS could be vulnerable too.
But when you design your setup to cover infection vectors, you only see PASSES. It doesn't matter if it's a HIPS, a sandbox, LUA, or other method. The important thing is to have the defenses well planned.

For what it's worth, If I had XP Pro, and could use SRP, I probably wouldn't use Sandboxie, but I'm stuck with XP Home...

[Creer]

Nice test, what about OA or DefenseWall?

[Joerg]

According to the PC Tools Forum the new Threatfire Beta will detect the conficker worm.

regards,
Joerg

[chris2busy]

a)to be honest,any classical HIPS should give you at least 1 execution warning...soooo if you just pop the thumb drive in and you get a prompt,ya you deserve to be infected

b) @ aigle i don't know why you say that it needs very deep rules (in CPF) to get the right warning..anyone that uses cpf adds those and paranoid mode has them on by default

http://www.imageshack.gr/files/kccat7zu2wqzdfzed5ze.jpg

[icr]

Reports of Eset v 3.0.669.0

Edit: Sorry if my post is off topic don't know much abt HIPS

[alex_s]

OA is much the same to the others. There was execution alert about jwgkvsq.vmx wanting to run. Once allowed computer is infected.

[jmonge]

Quote:

Originally Posted by alex_s

OA is much the same to the others. There was execution alert about jwgkvsq.vmx wanting to run. Once allowed computer is infected.

what about if you allow the pop up to run it in comodo or other hips but you have a rule to denny access to write to the hard disk?

[neksus]

Quote:

Originally Posted by Kees1958

Would you mind testing GeSWall with the custom rule you applied for USB stick (harddisk1) with the virus on teh second USB stick.

Hey, what about the case of 2+ HDDs?

It would be pretty good if there was a way to add rule for removable drives automatically, without putting the user through the misery of doing the computation on total number of HDDs & USB sticks by hand

[chris2busy]

Quote:

Originally Posted by jmonge

what about if you allow the pop up to run it in comodo or other hips but you have a rule to denny access to write to the hard disk?

deny copying files from a thumb drive?
then why buy it at all?thats why you use it anyway,to copy stuff

*hint* if LUA passes the sample then OA with checked the option "run unknown apps as untrusted" passes it too. duh!

some1 pm me the sample please?

[jmonge]

Quote:

Originally Posted by chris2busy

deny copying files from a thumb drive?
then why buy it at all?thats why you use it anyway,to copy stuff

*hint* if LUA passes the sample then OA with checked the option "run unknown apps as untrusted" passes it too. duh!

some1 pm me the sample?

anyway i think that defensewall will run this sucker as untrusted from a usb devise making it run with limits rigths
note:not tested yet on my part